CVE-2025-69633 in Advanced Popup Creator Module
Summary
by MITRE • 02/14/2026
A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller. The parameter is passed unsanitized to SQL queries in classes/AdvancedPopup.php (getPopups() and updateVisits() functions).
Analysis
by VulDB Data Team • 02/20/2026
CVE-2025-69633 is a SQL injection flaw in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop, affecting module versions 1.1.26 through 1.2.6. The weakness sits in the module's popup front controller: the fromController request parameter is read from the request and handed to database queries without sanitization or parameter binding. Because the module serves popups to ordinary shop visitors, the vulnerable code path is reachable by any remote client; no account or privilege is required to trigger it.
Technically, the unsafe handling is in classes/AdvancedPopup.php, in the getPopups() and updateVisits() functions. Both take the fromController value and build SQL statements around it without validation, escaping or binding, so the value is interpreted as part of the statement rather than as data. This is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The module treats fromController as a trusted controller name when it is in fact attacker-controlled input; quote and comment characters, UNION clauses or boolean conditions injected through it let an attacker read, modify or delete data in the PrestaShop database, and, with an UPDATE path like updateVisits(), change rows the request was never meant to touch.
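The following is an added illustration of the pattern described above, written in Python against an in-memory SQLite database; it is not code from the advancedpopupcreator module, and the table and column names (popup, employee, from_controller) are assumptions made for the demo. It pairs a concatenated query in the style of getPopups()/updateVisits() with the bound-parameter form, and shows what a UNION payload and a tautology payload in fromController do to each.

```python
"""Vulnerable and hardened handling of a request parameter in SQL.

Added illustration (Python + SQLite), not code from the advancedpopupcreator
module. It reproduces the pattern the advisory describes: the fromController
request parameter spliced into the text of the getPopups()/updateVisits()
queries. Table and column names are assumptions made for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two popups plus a table an attacker would want."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE popup (id_popup INTEGER, name TEXT, from_controller TEXT, visits INTEGER);
        INSERT INTO popup VALUES (1, 'welcome', 'index', 0);
        INSERT INTO popup VALUES (2, 'cart-upsell', 'cart', 0);
        CREATE TABLE employee (id_employee INTEGER, email TEXT, passwd TEXT);
        INSERT INTO employee VALUES (1, 'admin@shop.example', '$2y$10$fakehashfordemo');
        """
    )
    return conn


# --- vulnerable pattern (CWE-89): the parameter becomes part of the SQL text ---

def get_popups_vulnerable(conn, from_controller):
    sql = ("SELECT id_popup, name FROM popup WHERE from_controller = '"
           + from_controller + "'")
    return conn.execute(sql).fetchall()


def update_visits_vulnerable(conn, from_controller):
    sql = ("UPDATE popup SET visits = visits + 1 WHERE from_controller = '"
           + from_controller + "'")
    return conn.execute(sql).rowcount   # rows actually modified


# --- hardened pattern: the parameter is bound, never parsed as SQL ---

def get_popups_safe(conn, from_controller):
    sql = "SELECT id_popup, name FROM popup WHERE from_controller = ?"
    return conn.execute(sql, (from_controller,)).fetchall()


def update_visits_safe(conn, from_controller):
    sql = "UPDATE popup SET visits = visits + 1 WHERE from_controller = ?"
    return conn.execute(sql, (from_controller,)).rowcount


# Payloads an unauthenticated client could send as ?fromController=...
# The trailing "-- " comments out the closing quote the code appends.
UNION_PAYLOAD = "' UNION SELECT id_employee, email || ':' || passwd FROM employee -- "
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print(get_popups_vulnerable(conn, "index"))               # legitimate use
    print(get_popups_vulnerable(conn, UNION_PAYLOAD))         # leaks the employee row
    print(get_popups_safe(conn, UNION_PAYLOAD))               # []: payload is just a string
    print(update_visits_vulnerable(conn, TAUTOLOGY_PAYLOAD))  # 2: every popup row touched
    print(update_visits_safe(conn, TAUTOLOGY_PAYLOAD))        # 0
```

The UNION branch in the vulnerable SELECT returns the employee row because the attacker controls the statement text; in the bound version the same string is compared as a literal and matches nothing. The tautology against the UPDATE shows the second consequence the advisory names: an attacker-controlled WHERE clause lets a visit counter update touch every row. In PrestaShop itself the equivalent of binding is casting to the expected type, such as (int), or escaping string values with pSQL() before they reach Db::getInstance(); the point is the same, user input must never be concatenated raw into the query.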
The impact goes well beyond the popup data itself. The module runs with the shop's database connection, so a successful injection reaches every table that database user can see: customer records and addresses, order and payment records, and the employee table holding back-office credential hashes. Because no authentication is required, any visitor to an affected store can attempt the attack, which makes it especially dangerous for e-commerce sites handling personal and financial data that can be used for identity theft, fraud or competitive intelligence. An attacker who can run UPDATE or DELETE statements can also corrupt data or disrupt the shop. In ATT&CK terms this is T1190, Exploit Public-Facing Application: the attacker reaches the database by exploiting a flaw in the internet-facing web application rather than by talking to the database directly.
Organizations running an affected version should update the module to 1.2.7, which the advisory lists as the fixed release. Until the update is in place, and as defense in depth afterwards: monitor web server logs for requests to the module's popup controller whose fromController value contains quotes, comment sequences or SQL keywords, and consider a web application firewall rule on that parameter, keeping in mind that a WAF blocks common payloads but can be bypassed and is a stopgap, not a fix. Review the MySQL account PrestaShop connects with: it does not need FILE, SUPER or privileges on other databases, and restricting it limits what an injection can reach, although it cannot prevent reads of the shop's own tables, which the application must be able to query. Finally, audit other third-party modules for the same pattern, request values concatenated into Db queries instead of being cast, escaped with pSQL() or bound, because insecure parameter handling in a widely installed extension exposes every store that runs it.
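As an added example of the log monitoring suggested above (not part of the advisory), the script below scans combined-format access log lines for requests whose fromController parameter contains SQL metacharacters. The log lines are constructed for the demo, and the URL shape index.php?fc=module&module=advancedpopupcreator&controller=popup is the usual PrestaShop front-controller form and is an assumption here, not a path taken from the advisory.

```python
"""Flag requests whose fromController parameter carries SQL metacharacters.

Added example, not part of the advisory or the module. The log lines are
constructed; the URL shape (index.php?fc=module&module=...&controller=popup)
is the usual PrestaShop front-controller form and is an assumption here.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Tokens that have no business in a controller name but appear in nearly
# every SQL injection probe: quotes, comment openers, statement separators
# and the usual keywords. Word boundaries keep "order" from matching "or".
SUSPECT_RE = re.compile(
    r"""['"`;]|--|/\*|#|\b(?:union|select|sleep|benchmark|or|and)\b""", re.I
)

# Constructed sample traffic: one legitimate popup request, two probes from
# the same client, and an unrelated page view.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2026:10:01:02 +0000] "GET /index.php?fc=module&module=advancedpopupcreator&controller=popup&fromController=index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Feb/2026:10:01:09 +0000] "GET /index.php?fc=module&module=advancedpopupcreator&controller=popup&fromController=%27%20UNION%20SELECT%20email,passwd%20FROM%20ps_employee--%20 HTTP/1.1" 200 913 "-" "python-requests/2.32"
203.0.113.9 - - [20/Feb/2026:10:01:10 +0000] "GET /index.php?fc=module&module=advancedpopupcreator&controller=popup&fromController=cart%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 431 "-" "python-requests/2.32"
198.51.100.7 - - [20/Feb/2026:10:02:44 +0000] "GET /index.php?controller=order HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
"""


def scan(log_text: str):
    """Return one hit per request whose decoded fromController looks like SQL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        params = parse_qs(urlsplit(m["target"]).query)  # percent-decodes values
        for value in params.get("fromController", []):
            tok = SUSPECT_RE.search(value)
            if tok:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "value": value,
                    "token": tok.group(0),
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} token={hit["token"]!r} fromController={hit["value"]!r}')
```

Two caveats a practitioner should keep in mind. First, access logs only show the query string; PrestaShop reads request values from both GET and POST, so a payload sent in a POST body is invisible here unless the web server or WAF logs bodies. Second, this is a keyword heuristic, useful for triage and for pulling the offending client out of the logs, not proof of exploitation; a 200 response to a probe tells you the controller answered, not whether the injection succeeded.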